Bug 1874066

Summary:	[Assisted-4.5 ] assisted-service API does not prevent a request with another user's credentials from updating host installation progress
Product:	OpenShift Container Platform	Reporter:	nshidlin <nshidlin>
Component:	assisted-installer	Assignee:	Fred Rolland <frolland>
assisted-installer sub component:	assisted-service	QA Contact:	Yuri Obshansky <yobshans>
Status:	CLOSED ERRATA	Docs Contact:
Severity:	unspecified
Priority:	urgent	CC:	alazar, aos-bugs
Version:	4.5
Target Milestone:	---
Target Release:	4.6.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	OCP-Metal-juke-3
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-10-27 16:36:14 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description nshidlin 2020-08-31 13:31:44 UTC

Description of problem:
request: 

method: PUT

url: "https://api.stage.openshift.com/api/assisted-install/v1/clusters/{cluster_id}/hosts/{host_id}/progress"

X-Secret-Key: another user's pull secret

body:{"current_stage": "Failed"}

was not rejected by the API and the host moved into error state.  

Version-Release number of selected component (if applicable):
staging environment
{
  "Username": "nshidlin",
  "CurrentApp": "Clusters",
  "ApplicationPath": "/openshift/assisted-installer/clusters/befcaf85-3b9a-457f-9699-50ac34f24a58",
  "apps": [
    {
      "name": "Chrome",
      "path": "apps/chrome/app.info.json",
      "version": "38bcae2faa6d01b8b7d7682dbcb099f893d74d6d"
    },
    {
      "name": "Dashboard",
      "path": "apps/dashboard/app.info.json",
      "version": "75916c1962aba781338d77e6f22cfe1dd522339c"
    },
    {
      "name": "Inventory",
      "path": "apps/inventory/app.info.json",
      "version": "a45b358582697a8d98f00e52fd775645896c3301"
    },
    {
      "name": "Remediations",
      "path": "apps/remediations/app.info.json",
      "version": "1de53dd4fde78fecae0693f46928f1cb4e397447"
    },
    {
      "name": "Vulnerability",
      "path": "apps/vulnerability/app.info.json",
      "version": "aa9b10ddc9a3c7bf55815f0461a6d7df99a21c3e"
    },
    {
      "name": "Compliance",
      "path": "apps/compliance/app.info.json",
      "version": "bf466714805dde6b308a0e09000273f9b0bb0b5e"
    },
    {
      "name": "Cost Management",
      "path": "apps/cost-management/app.info.json",
      "version": "4b2cd1760c34bf66a49c5b41241421722b27e7be"
    },
    {
      "name": "Advisor",
      "path": "apps/advisor/app.info.json",
      "version": "6a47a28fb5edd32d9cf2130b62df5c5bb63aab48"
    },
    {
      "name": "Drift",
      "path": "apps/drift/app.info.json",
      "version": "9a4e02d2bdf857ab201145a3f8467efa3bd75f15"
    },
    {
      "name": "Migration Analytics",
      "path": "apps/migration-analytics/app.info.json",
      "version": "7f37fa8e9fa0d29d8b1d7be8ba4cfe22979cdaff"
    },
    {
      "name": "Automation Hub",
      "path": "apps/automation-hub/app.info.json",
      "version": "5884daee9a75b899e0788324ab9cf61ede96af08"
    },
    {
      "name": "Automation Analytics",
      "path": "apps/automation-analytics/app.info.json",
      "version": "89f9692730b63bf77849b61bfd25950e68a21678"
    },
    {
      "name": "Policies",
      "path": "apps/policies/app.info.json",
      "version": "696887003b1c0635ca37a70f2da414886e95fc6c"
    },
    {
      "name": "Patch",
      "path": "apps/patch/app.info.json",
      "version": "1ab627ad8f5bd595ad851106502c8c4a8de80df8"
    },
    {
      "name": "Automation Services Catalog",
      "path": "apps/catalog/app.info.json",
      "version": "69a97e80b57a502d385ae1baa3511fe2cf3fad4e"
    },
    {
      "name": "Approval",
      "path": "apps/approval/app.info.json",
      "version": "c66c9c79437ee4360c712dc3fe28b0aa871c4148"
    },
    {
      "name": "Sources",
      "path": "apps/sources/app.info.json",
      "version": "4e4c53ac7a93e2c12e64b2bd86b1b09ad7192790"
    }
  ]
}

How reproducible:
Every time

Steps to Reproduce:
1. Create Cluster
2. Generate and dowload ISO
3. Boot nodes into ISO
4. Start Cluster installation
5. Make the following API request (substituting the cluster_id and host_id):
url: "https://api.stage.openshift.com/api/assisted-install/v1/clusters/{cluster_id}/hosts/{host_id}/progress"

X-Secret-Key: another user's pull secret

body:{"current_stage": "Failed"}

Actual results:
Request is accepted by assisted-service API and host moves into error state

Expected results:
Request to be rejected and return status code 404 Resource Not Found

Additional info:

Comment 1 Fred Rolland 2020-09-01 16:02:56 UTC

https://github.com/openshift/assisted-service/pull/264

Comment 2 nshidlin 2020-09-10 06:39:30 UTC

Verified on staging:
{
  "Username": "nshidlin",
  "CurrentApp": "Clusters",
  "ApplicationPath": "/openshift/assisted-installer/clusters/52e7f501-6cc8-4331-9f31-cc0c6003078e",
  "apps": [
    {
      "name": "Chrome",
      "path": "apps/chrome/app.info.json",
      "version": "8c3ed2ee756a054cfac24c7934bcc88a3ae3c8ee"
    },
    {
      "name": "Dashboard",
      "path": "apps/dashboard/app.info.json",
      "version": "12610ba3b722a2bba51124295802a40b03bfa059"
    },
    {
      "name": "Inventory",
      "path": "apps/inventory/app.info.json",
      "version": "a45b358582697a8d98f00e52fd775645896c3301"
    },
    {
      "name": "Remediations",
      "path": "apps/remediations/app.info.json",
      "version": "1de53dd4fde78fecae0693f46928f1cb4e397447"
    },
    {
      "name": "Vulnerability",
      "path": "apps/vulnerability/app.info.json",
      "version": "ef1fc91cb32ce6e574616f97a055948aaa5643fe"
    },
    {
      "name": "Compliance",
      "path": "apps/compliance/app.info.json",
      "version": "f99d6c5a0abd538054f1f63b60333a46415827f9"
    },
    {
      "name": "Cost Management",
      "path": "apps/cost-management/app.info.json",
      "version": "f2260b4db54da4bdb8aa5d507e8d5e232000fc5f"
    },
    {
      "name": "Advisor",
      "path": "apps/advisor/app.info.json",
      "version": "b098736672af8cc0b3f544094a695589d9371bf8"
    },
    {
      "name": "Drift",
      "path": "apps/drift/app.info.json",
      "version": "9a4e02d2bdf857ab201145a3f8467efa3bd75f15"
    },
    {
      "name": "Migration Analytics",
      "path": "apps/migration-analytics/app.info.json",
      "version": "7f37fa8e9fa0d29d8b1d7be8ba4cfe22979cdaff"
    },
    {
      "name": "Automation Hub",
      "path": "apps/automation-hub/app.info.json",
      "version": "5884daee9a75b899e0788324ab9cf61ede96af08"
    },
    {
      "name": "Automation Analytics",
      "path": "apps/automation-analytics/app.info.json",
      "version": "89f9692730b63bf77849b61bfd25950e68a21678"
    },
    {
      "name": "Policies",
      "path": "apps/policies/app.info.json",
      "version": "e928d3b90fde56f16cb008f06f9f54c9167b94ff"
    },
    {
      "name": "Patch",
      "path": "apps/patch/app.info.json",
      "version": "1ab627ad8f5bd595ad851106502c8c4a8de80df8"
    },
    {
      "name": "Automation Services Catalog",
      "path": "apps/catalog/app.info.json",
      "version": "98fb9e1bcca8681282b2e2f1c84391a4e454c1b9"
    },
    {
      "name": "Approval",
      "path": "apps/approval/app.info.json",
      "version": "76dbd9fc2ba4fbf99d00282bb48bf20c38cacf33"
    },
    {
      "name": "Sources",
      "path": "apps/sources/app.info.json",
      "version": "4e4c53ac7a93e2c12e64b2bd86b1b09ad7192790"
    }
  ]
}

Comment 5 errata-xmlrpc 2020-10-27 16:36:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196